1. Field of the Invention
The present invention relates to an encryption method for encrypting playback-limited contents, a decryption method for decrypting encrypted playback-limited contents, and a recording and reproducing apparatus that encrypts playback-limited contents and that records/reproduces the encrypted playback-limited contents.
2. Description of the Related Art
Conventionally, contents such as video data or audio data are recorded on a tape recording medium such as a video tape or an audio tape or on a disc recording medium such as a CD or a DVD. One of the problems with those media is that contents are sometimes illegally copied from those media through dubbing.
In addition, with the introduction of a digital method for recording video or audio data, contents are not only recorded on the media described above but also distributed through the data distribution function. This makes illegal copy protection more critical.
Next, how the copy of digital contents data is limited will be described. As more and more video or audio data is digitally distributed recently as described above, contents providers that distribute contents have placed a playback limitation on them such as “copy prohibition” or “single-copy permission.” Such digital contents data has the copy guard signal inserted into the contents to distort the contents image if a user, who has copied the contents, tries to display them.
A typical system using the above method is the Macrovision system (pseudo sync pulse system, color stripe system). This system inserts special signals into a particular portion of the analog signals of “copy prohibited” contents to allow a recorder to record the contents while identifying the signals inserted into the particular portion. Therefore, when an attempt is made to reproduce the contents, the signals described above distort the image on the screen to make it difficult to view. In addition, when an attempt is made using a digital recorder to record contents using this copy guard system, the recorder detects those signals and does not record the contents. A digitally broadcast PPV (Pay Per View) program uses this system.
However, contents using this copy guard system may be copied normally by simply removing the signals that distort the screen, and an apparatus for circumventing the copy guard has been on the market.
For “single-copy permitted” contents, the copy generation is managed to prevent the contents from being copied more times than are permitted. A typical system using this method is CGMS (Copy Generation Management System). In this system, a particular digital signal (three values, that is, 1. Copy prohibited, 2. Copy permitted for one generation only, 3. Unlimited copy permitted) is built into a particular portion of contents digital signals, and a digital recorder identifies this particular signal and places a limitation on the copy operation as instructed by the digital signal built into the contents. The CGMS system is used also for managing the copy generation of an MD (Mini Disc).
However, the copy guard of the CGMS system described above may also be disabled by changing the copy generation flag from “Copy prohibited” to “Copy permitted”.
Considering those problems, the digital contents data itself is encrypted on a DVD before being recorded on the medium. Therefore, an attempt to obtain data from a DVD results in obtaining encrypted contents. In addition, because obtaining an encryption key is difficult, copying unencrypted digital signals becomes more difficult.
DES (Data Encryption Standard), one of those encryption systems, will be described. DES is a block encryption system where plain text (original text), encrypted text, and an encryption key are all 64 bits in size. Because 8 bits of the 64 bits of an encryption key are used for parity, the actual size of the encryption key is 56 bits.
FIG. 1 shows the basic configuration of DES. After exchanging the bits so that each two neighboring bits in the plain text are placed approximately 32 bits apart, the same transformation is performed for 16 stages repeatedly. In each stage, with the high-order 32 bits $L_{n-1}$ and low-order 32 bits $R_{n-1}$ each as a group, from the previous stage, they are transformed to $L_n$ and $R_n$ using a 48-bit key $K_n$ received from the key generator, and are output to the next stage. After exchanging $L_{16}$ and $R_{16}$ that are output from the 16th stage, encrypted text is output by replacing the bits through $IP^{-1}$.
On the other hand, the eight parity bits are removed from the key through selective replacement PC-1 and, at the same time, the remaining 56 bits are exchanged. After that, with the high-order 28 bits $C_n$ and low-order 28 bits $D_n$ each as a group, the key $K_n$ is created in each stage while repeating shifting in each of 16 stages. Each of the 16 transformers, which is the basic unit of DES shown in FIG. 1, has the structure shown in FIG. 2 where the input $(L_{n-1}, R_{n-1})$ from the previous stage and the output $(L_n, R_n)$ to the following stage satisfy the following relation:
$$L_n = R_{n-1}$$
$$R_n = L_{n-1} \;\text{EXOR}\; f(R_{n-1}, K_n)$$
where EXOR indicates an exclusive OR and the function $f(R_{n-1}, K_n)$ has the structure shown in FIG. 3.
The input $R_{n-1}$ to the function f, 32 bits in length, is extended to 48 bits through extensive replacement E. Next, after calculating the exclusive OR of the 48 bits and $K_n$ on a bit basis, the result is divided into eight 6-bit units which are then input to boxes S1–S8. In each S box, the 6-bit input is non-linearly transformed to a 4-bit output. Finally, the bit positions of the 32 bits, composed of eight 4-bit outputs, are exchanged through the replacement P to produce the output, $f(R_{n-1}, K_n)$.
Solving the DES basic transformation expressions
$$L_n = R_{n-1}$$
$$R_n = L_{n-1} \;\text{EXOR}\; f(R_{n-1}, K_n)$$
and then representing $(L_{n-1}, R_{n-1})$ with $(L_n, R_n)$ gives the following expressions:
$$R_{n-1} = L_n$$
$$L_{n-1} = R_n \;\text{EXOR}\; f(R_{n-1}, K_n) = R_n \;\text{EXOR}\; f(L_n, K_n)$$
This indicates that $(R_{n-1}, L_{n-1})$ may be obtained from $(R_n, L_n)$ in the same way $(L_n, R_n)$ is obtained from $(L_{n-1}, R_{n-1})$. This property means that data may be decrypted in the same way data is encrypted.
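The following is an added illustration, not part of the original specification, of the property just derived: the same 16-stage routine decrypts when the stage keys are supplied in the order K16 to K1. It goes beyond the DES case in that the round function `f` and the key schedule `round_keys` are hash-based stand-ins assumed here (not the E/S-box/P function of FIG. 3 or the PC-1 schedule), and the initial and final bit replacements are omitted because they cancel each other.

```python
import hashlib

MASK32 = 0xFFFFFFFF
ROUNDS = 16

def f(r, k):
    """Stand-in round function (assumption, not the DES f of FIG. 3).
    It is not invertible, which shows the structure never needs f^-1."""
    digest = hashlib.sha256(r.to_bytes(4, "big") + k.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def round_keys(key):
    """Constructed key schedule (assumption): sixteen 48-bit stage keys K1..K16."""
    return [int.from_bytes(hashlib.sha256(key + bytes([n])).digest()[:6], "big")
            for n in range(1, ROUNDS + 1)]

def feistel(block, keys):
    """Run the 16 stages on a 64-bit block, then exchange L16 and R16."""
    l, r = block >> 32, block & MASK32
    for k in keys:
        # L_n = R_{n-1};  R_n = L_{n-1} EXOR f(R_{n-1}, K_n)
        l, r = r, l ^ f(r, k)
    return (r << 32) | l  # exchange of the two halves after the last stage

def encrypt(block, key):
    return feistel(block, round_keys(key))

def decrypt(block, key):
    # Identical routine; only the order of the stage keys is reversed.
    return feistel(block, round_keys(key)[::-1])

if __name__ == "__main__":
    key = b"constructed-sample-key"      # constructed sample input
    plain = 0x0123456789ABCDEF           # constructed 64-bit block
    cipher = encrypt(plain, key)
    print(f"plain  {plain:016x}")
    print(f"cipher {cipher:016x}")
    print(f"back   {decrypt(cipher, key):016x}")
```

Because the exchange of halves after the 16th stage feeds (R16, L16) back into the first decryption stage, each stage undoes its counterpart using only EXOR and a forward evaluation of `f`.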
However, although the contents of a “copy prohibited” PPV digital broadcasting program may be viewed only once, a viewer must view that program during a fixed period of time during which the PPV program is broadcast. That is, for “copy prohibited” contents, the copyright owner intends to allow a viewer to view the contents only once but, in practice, limits the period of time during which the contents may be viewed. In addition, in such a case where a viewer is allowed to record “copy prohibited” contents on a recording medium and view the contents only once, a system that prevents the viewer from playing back once-played contents has not yet been established. Furthermore, a method for erasing already-played-back contents while reproducing the contents, which is required to implement the system described above, is difficult to implement. For example, when data is deleted from a hard disc of a personal computer, the contents of the FAT of the file system are erased but actual data is not.
On the other hand, for “single-copy permitted” contents, after the contents are recorded once on a VCR (Video Cassette Recorder) or a HDD (Hard Disc Drive) of a recording and reproducing apparatus, the contents cannot be copied any more because a copy that will be made becomes a second copy. This prevents the viewer, who has played back the contents, from recording only a desired program for recording onto another medium for saving. Thus, for “single-copy permitted” contents, although the copyright owner intends to limit a medium to a single medium on which the contents may be recorded, it is not permitted to record the once recorded contents onto another medium and then erase the recorded portion of the original recording medium, that is, so-called contents movement is not permitted.
Another problem is encryption; that is, advancement in computer power makes it easy to break an encryption key. Using a fixed key for one unit of contents means that, once the key is broken, all the contents may be decrypted and, as a result, digital contents may be copied illegally. One method for avoiding this is to change the key with time. This method prevents the whole contents from being decrypted even if a key used for encrypting a part of contents is broken and therefore ensures safety as compared with a case when a fixed key is used. In addition, the keys used for encryption must be calculated when generating a plurality of keys at decryption time, and those keys and their seeds must be stored separately. One problem with this method is that it requires a large amount of storage as the number of keys increases. The “seed of a key” means information by which the key is generated.
Additionally, a block-chain encryption processing method, such as the one disclosed in Japanese Patent Laid-Open Publication No. Hei 9-107536, uses the encryption function E1 to encrypt P(1) based on the encryption key K and the initial value IV, uses the encryption function E2 to sequentially encrypt P(i) (2≦i≦n) based on the encryption key K and P(i-1), and generates encrypted data blocks (C(1), C(2), . . . , C(n)). However, in this method, because the encryption key K is fixed and because data on which encryption is based is data before being encrypted, there is a danger that encrypted text is decrypted.